The best way to restrict access, provide privilege elevation, RBAC, MFA, time-fencing, attestation and reporting is to use Centrify Standard Edition (DirectAuthorize) and not only you can control SSH access, but any PAM-enabled app.
With Centrify Express
- Via SSH you can use AllowUsers/AllowGroups directives
- For restricting access via console, you could use access.conf
R.P